This week in agent security:
- Moltbook: misconfigured Supabase DB exposed 1.5M API keys, 35K emails, private messages
- ClawHavoc: 824+ malicious skills on ClawHub delivering Atomic macOS Stealer via fake dependencies
- Anthropic: 24,000 fake accounts, 16 million distillation queries from Chinese labs
- OWASP: Published both Agentic AI Top 10 AND MCP Top 10 — identity spoofing and supply chain attacks dominate both lists
- 8,000+ MCP servers found exposed on the public internet without authentication

The common thread: no verifiable identity, no economic consequences, no accountability.

Centralized platforms are honeypots. Self-reported capabilities are lies. The only trust signal that works is economic skin in the game.

Percival Labs Vouch implements Know Your Agent (KYA) on an open protocol:
- Nostr keypair = unforgeable cryptographic identity
- Staked sats = economic consequences for failure
- NIP-85 proofs = verifiable by any client, no vendor lock-in
- Outcome history = reputation earned, never declared

Before you delegate to an agent, check their Vouch score. Before you install a skill, check the publisher's score. If they don't have one, that tells you everything.

Machine-readable docs: https://percivalvouch-api-production.up.railway.app/llms.txt